Malicious PDF — malware analysis report

Static analysis result for SHA-256 01b01a8c513fbaf0…

Verdict: MALICIOUS
File type: PDF
Size: 73.7 KB
Created: 2021-04-03 08:29:53 +03:00
Authoring application: wkhtmltopdf 0.12.5 (via Qt 4.8.7)
MD5: 7db45c358a9e5e5f6fbd62ec666251a0
SHA-1: 43ff80a6807e479d9706cad887f4405b203ca34f
SHA-256: 01b01a8c513fbaf035d6ca106af37eaecf8a122c65cdd93a35a1f42deaf4e21d
Risk Score: 196

Malware Insights

MITRE ATT&CK
  • T1566.001 Spearphishing Attachment
  • T1204.002 Malicious Link

The PDF contains numerous external links, many of which are part of a link farm, suggesting a phishing or SEO scam. The 'SE_CLICKFIX' heuristic indicates the document may instruct users to execute commands, a common social engineering tactic. ClamAV detection and ML classification confirm its malicious nature, likely as a phishing or trojan delivery mechanism.

Machine Learning

  • Nyx PDF Classifier: malicious score 0.9998

Heuristics (6)

  • Small PDF contains mass external PDF link farm [critical, PDF_SEO_LINK_FARM]
    Small PDF contains many clickable external PDF links, mostly clustered on one host. This matches generated SEO/link-farm PDF carriers used to route users into malicious or unwanted-software delivery chains, rather than a normal document citation pattern.
  • ClamAV: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0 [critical, CLAMAV_DETECTION]
    ClamAV detected this file as malware: Pdf.Phishing.Trojan-d2568dad23a94d95-d2568dad23a94d95-10044375-0
  • ClickFix social engineering attack [high, SE_CLICKFIX]
    Document instructs the user to press Win+R or paste a command into a terminal — consistent with ClickFix attacks that bypass macro restrictions by tricking users into running malicious commands directly.
  • External URI [info, PDF_URI]
    PDF contains an external URL action.
  • Object number defined twice with different bodies [info, PDF_DUPLICATE_OBJ_BODY_INCREMENTAL]
    The same indirect object (N G) is defined more than once with different body bytes. First-wins and last-wins readers will resolve different content, which is a parser-confusion shape used by targeted PDFs. Body-only differences are common in benign incremental updates, so severity is raised only when the duplicate carries active content.
  • Embedded URL [info, EMBEDDED_URL]
    One or more URLs were extracted from the document. The URL itself is not a detection; see the per-URL labels for which channel (macro, JS, link annotation, document body, ...) reached each URL.

Extracted artifacts (2)

Files carved from inside the sample during analysis.

Filename | Kind | Source | Size
font_00_sfnt_off0000e4e7.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xE4E7 | 4704 bytes
    SHA-256: 2aa2416d3ef3edf9fd0d22810f6c68d39d108e1e54553d728a143110d6486fc5
font_01_sfnt_off0000f50c.bin | pdf-font-stream | PDF embedded font (sfnt) at offset 0xF50C | 10600 bytes
    SHA-256: de8581b76482e0dc994e032856a3382be85f2616fa8cafaef781e47d10b1ca21